Revision Log
* modules/dav/main/util.c (dav_validate_resource_state): Fix error message formatting if an unauthenticated user tries to use an authenticated user's lock token (cosmetic fix only).
Add MS-WDV support
MS-WDV specification: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wdv
The change introduces the DAVMSext directive, which is used to enable MS-WDV:
DAVMSext +WDV
dav_get_timeout_string() is introduced as a variant of dav_get_timeout(). The former parses a string, the latter parses the Timeout HTTP header.
SECURITY: CVE-2006-20001 (cve.mitre.org) Address a memory read, or write of single zero byte, past the end of the If header (heap memory). * modules/dav/main/util.c (dav_process_if_header): Fix error path for "Not" prefix parsing.
mod_dav: Add utility functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() so that other modules get to play too.
Follow up to r1879074: don't let dav_process_if_header() go above root. And fall through as "/".
Add ap_normalize_path() to replace ap_getparents() (with options).
include/httpd.h: Declare ap_normalize_path() and flags.
AP_NORMALIZE_ALLOW_RELATIVE:
Don't require that the path be absolute as per RFC 7230.
This is needed for lookup subrequests.
AP_NORMALIZE_NOT_ABOVE_ROOT:
Check that directory traversal ("..") doesn't go above root, or
initial directory with relative paths.
AP_NORMALIZE_DECODE_UNRESERVED:
Decode unreserved characters (like '.') first since they have
the same semantics encoded and decoded.
AP_NORMALIZE_MERGE_SLASHES:
Merge multiple slashes into a single one.
AP_NORMALIZE_DROP_PARAMETERS:
Ignore path parameters (";foo=bar"). Not used by httpd but since
ap_normalize_path() is taken from mod_jk's jk_servlet_normalize()
it can allow them to use the upstream version now.
server/util.c: Implement ap_normalize_path().
modules/dav/main/util.c: Replace call to ap_getparents() using
ap_normalize_path() with AP_NORMALIZE_DECODE_UNRESERVED flag since
the path comes from an absolute URL (thus potentially %-encoded).
modules/generators/mod_autoindex.c: Replace call to ap_getparents() using
ap_normalize_path() with AP_NORMALIZE_ALLOW_RELATIVE and
AP_NORMALIZE_NOT_ABOVE_ROOT flags to be consistent with original code.
include/ap_mmn.h: MINOR bump for ap_normalize_path().
* module/dav/main/util.c (dav_check_bufsize): Don't call memcpy(,NULL,0) if the buffer is uninitialized, to avoid tripping UBSan. (Unclear if this is valid for this API.)
* Replace apr_psprintf with apr_pstrcat where the format strings only contain %s to improve efficiency. Leave out error messages as they are not on a critical code path and error messages become less readable when taking out the format specifiers.
Fix spelling in comments and text files. No functional change. PR 59990
Rename ap_casecmpstr[n]() to ap_cstr_casecmp[n](), update with APR doxygen
More ap_casecmpstr[n]() usages (follow up to r1715876).
In order to save a few cycles, delay a hash table lookup which is not necessarily needed
mod_dav: Avoid doing the walk on a COPY source for handling preconditions if
there are no preconditions provided.
* modules/dav/main/util.c:
(dav_validate_request): avoid validating locks and ETags when there are
no If headers providing them on a resource we aren't modifying.
Typo in comment
SECURITY: CVE-2013-6438 (cve.mitre.org) mod_dav: Keep track of length of cdata properly when removing leading spaces. * modules/dav/main/util.c (dav_xml_get_cdata): reduce len variable when increasing cdata pointer. Submitted by: Amin Tora <Amin.Tora neustar.biz>
mod_dav: Fix PR 55306.
Makes mod_dav no longer require that the lock token be provided when the
source of a COPY is locked. The prior behavior was in violation of
RFC 4918 which says that the lock token is only required on resources
that may be modified by the method.
* modules/dav/main/mod_dav.h
(DAV_VALIDATE_NO_MODIFY): New flag to be passed to dav_validate_* functions.
* modules/dav/main/mod_dav.c
(dav_method_copymove): Use the new flag when calling dav_validate_request()
on the COPY source.
* modules/dav/main/util.c
(dav_validate_resource_state): Use the flag to decide to ignore if the lock
token is not provided.
Fix indentation (plus now needed line-wrap). Followup to r1470940.
mod_dav: Make sure the URI length is calculated correctly.
mod_dav: Make sure that when we prepare an If URL for Etag comparison, we compare unencoded paths. PR 53910 Patch submitted by Timothy Wood <tjw omnigroup com> Tested by William Lewis <wiml omnigroup com>
mod_dav: Improve error handling in dav_method_put(), add new dav_join_error() function. PR: 54145 Submitted by: Ben Reser <ben reser.org> Reviewed by: trawick
[Test] First try : remove extra ';'
Cleanup effort in prep for GA push: Trim trailing whitespace... no func change
CVE-2010-1452: Fix handling of missing path segments in the parsed URI structure. If a specially crafted request was sent, it is possible to crash mod_dav, mod_cache or mod_session, as they accessed a field that is set to NULL by the URI parser, assuming that it always put in a valid string. PR: 49246 Submitted by: Mark Drayton Patch by: Jeff Trawick
Remove errno from dav_error interface. Calls to dav_new_error() and dav_new_error_tag() must be adjusted to add an apr_status_t parameter. Reviewed by: jorton
* Avoid SEGFAULT as hooks->set_headers can be NULL. Furthermore do not set the ETag header permanently as setting it may not be desired for all responses. Submitted by: niq, rpluem
* Style police. No functional changes.
mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals. PR 38034 Patch by Paritosh Shah Explanation by Werner Baumann
update license header text
Update the copyright year in all .c, .h and .xml files
No functional Change: Removing trailing whitespace. This also means that "blank" lines consisting of just spaces or tabs are now really blank lines
Fix handling of unknown state tokens in If headers: * modules/dav/main/mod_dav.h: Add dav_if_unknown to dav_if_state_type enum. * modules/dav/main/util.c (dav_add_if_state): Set returned type to dav_if_unknown for an unknown state token. (dav_validate_resource_state): Evaluate dav_if_unknown to fail match unless in a Not condition. PR: 37288
* modules/dav/main/mod_dav.h: Wrap all public functions in DAV_DECLARE or DAV_DECLARE_NONSTD. * modules/dav/main/liveprop.c, modules/dav/main/props.c, modules/dav/main/util_lock.c, modules/dav/main/mod_dav.c, modules/dav/main/std_liveprop.c, modules/dav/main/util.c: Update function definitions. Submitted by: Branko Čibej <brane xbc.nu> Reviewed by: Justin Erenkrantz
Update copyright year to 2005 and standardize on current copyright owner line.
FINALLY Correct ap_http_method()! It is NOT a method, it's a SCHEME! Bumped mmn, and ap module cookie, for this function rename. It's not a deprecation, as ap_http_method would be a lovely function name sometime in the future: to determine what the function name implies.
general property cleanup
Forward-port from mod_dav 1.0: * modules/dav/main/util.c (dav_validate_resource_state): Fix a 2617 violation: if the lock user validation fails, rather than giving a 401 without a WWW-Authenticate header, give a 403.
fix name of The Apache Software Foundation
apply Apache License, version 2.0
update license to 2004.
stop using apr_sockaddr_port_get() accessor function, as it will disappear from APR 1.0 API shortly
* modules/dav/main/util.c (dav_validate_resource_state): Simplify weak etag comparison to avoid unnecessary tests and pstrdup calls.
Fix a typo in the weak entity check. The prefix is W/" not "W/.
finished that boring job: update license to 2003. Happy New Year! ;-))
fix misuse of const in a recent commit warnings with recent gcc compile break with native compiler for AIX
Allow mod_dav to do weak entity comparison function rather than a strong entity comparison function. (i.e. it will optionally strip the W/ prefix.) PR: 14921 (kinda, but not really)
Fix If header parsing when a non-mod_dav lock token is passed to it. We'll now just skip over it rather than aborting. PR: 16452
When unlocking, the auto-checkin code does not need to refer to the parent resource. We want to (possibly) check in only the resource identified by the params. Bug found by David Waite <mass@akuma.org>
Detabbify. With extreme prejudice.
Continue the Bill Rowe apr_size_t crusade.
Renames Pending: This clears the list of renames pending in apr-util. Parts of this list were already done, but the pending list hadn't been updated.
apr_hook_debug_current from apr_current_hooking_module
apr_hook_debug_show from apr_show_hook
apr_hook_global_pool from apr_global_hook_pool
apr_hook_sort_all from apr_sort_hooks
apr_uri_port_of_scheme from apr_uri_default_port_for_scheme
apr_uri_unparse from apr_uri_unparse_components
apr_uri_parse from apr_uri_parse_components
apr_uri_parse_hostinfo from apr_uri_parse_hostinfo_components
apr_uri_t from apr_uri_components
All APR_URI_* from all APU_URI_* symbols
All APR_UNP_* from all UNP_* symbols
PR:
Obtained from:
Submitted by: Thom May
Reviewed by:
The real pain. ap->apr xml and text types.
Update our copyright for this year.
Give mod_dav the ability to output both standard and customized
<D:error> responses. It's crucial for marshalling svn error messages
back over to the client; and someday it will be needed to return
specific <DAV:> errors as dictated by the DeltaV spec.
* mod_dav.h (dav_error): add two new fields -- an optional error
namespace, and an error-tag-name. Remove the 'delayed computation'
function and cxt ptrs in this struct; they were never used.
(dav_new_error_tag): new alternative constructor that takes new
fields.
* util.c (dav_new_error_tag): implement constructor.
* mod_dav.c (dav_error_response_tag): new function to output
'standard' xml error response based on error struct.
(dav_handle_err): if no multistatus response is passed in, and if an
error-tag is defined, then call our new xml-output routine.
Submitted by: Ben Collins-Sussman <sussman@collab.net>
dav_xml_get_cdata() is an exported function, so mark it as such with the DAV_DECLARE macro. [ Barry Pederson <barryp@yahoo.com> ] Apache's handling of ports is broken. Temporarily disable the port checking in the Destination: header. [ Greg Stein ]
Need to store the pool into the xmlns structure.
Add an opaque datatype for managing a set of XML namespace declarations. Part of an upcoming propdb API improvement.
adjust to apr_uri_ rename
adjust to UNP_ -> APR_URI_UNP_ rename
Moved util_uri to apr-util/uri/apr_uri, which means adding the apr_ prefix to all of the uri functions (yuck), changing some includes, and using APR error codes instead of HTTP-specific error codes. Other notes to test this patch: - You need to delete the util_uri.h file - exports picks up on this. - I'd like to remove the apr_uri.h from httpd.h, but that might increase the complexity of this patch even further. Once this patch is accepted (in some form), then I can focus on removing apr_uri.h from httpd.h entirely. I need baby steps (heh) right now. - I imagine that this might break a bunch of stuff in Win32 or other OS builds with foreign dependency files. Any help here is appreciated. This is a start... -- justin Submitted by: Justin Erenkrantz Reviewed by: Roy Fielding
Initialize a local variable to prevent a gcc warning about possible use before set. The code was fine but it is best to keep gcc quiet lest we stop paying attention.
fast-path some cases, primarily to avoid an allocation when it isn't needed. for a "nice" piece of cdata which is in one chunk, this can usually avoid an allocation.
allow non-absolute URIs to occur in some of the requests. RFC 2518 states that the Destination: header (used in MOVE/COPY) must be an absolute URI, so it keeps that constraint.
Fix up the auto-versioning stuff. The new scheme more closely matches the intent of DeltaV draft 14, simplifying some previous assumptions. Includes some heavy fixes to MOVE/COPY in a versioning world. Fix to CHECKOUT when a working resource is not created (checkout in place) Submitted by: John Vasta <jvasta@rational.com>
Backing my earlier change out; There exists the possibility for ap_parse_uri_components to not fill in the port field in certain cases, i.e. wherein the uri begins with /
Since ap_parse_uri_components() now guarantees port will be filled in, this is no longer needed in dav.
Patch to sync with some changes to mod_dav 1.1: *) revamp the set_target stuff -- latest draft calls this UPDATE *) update the CHECKIN method handling *) liveprop providers can catch/define "core" properties before the core gets a chance. Submitted by: John Vasta <jvasta@rational.com> Reviewed by: Greg Stein
*) mod_dav.c: allow PUT to a WORKING resource (this is actually the only valid place to do a PUT(!))
*) util.c: add a comment. allow validation to proceed without a lock database (the rest of the code supported it; one erroneous check disabled that work)
*) util_lock.c: allow dav_unlock() to be a no-op when a lock provider isn't present; this allows DELETE to work.
include apr_lib.h for apr_isspace() definition
Update copyright to 2001
Clean up some of the includes: - explicitly include apr_lib.h since ap_config.h doesn't - use apr_want.h where possible - use APR_HAVE_ where possible - remove some unneeded includes
renaming various functions for consistency sake see: http://apr.apache.org/~dougm/apr_rename.pl PR: Obtained from: Submitted by: Reviewed by:
Revamp the CHECKOUT method handling and various support functions for it. Basically, the original CHECKOUT was based on a really old draft of the DeltaV specification. This brings it up to date.
*) get_resource hook now takes an optional label name and/or a flag on whether to use the DAV:checked-in property; if either one is provided, then a version resource is looked up and returned. WARNING: the parameter types are now the same, but have very different semantics. this means you won't get a compile error to figure out that something needs to be changed here.
*) mod_dav.c::dav_get_resource no longer caches the fetched resource in the request userdata. Some requests will call this function multiple times, for different resources -- we don't want to keep returning the same resource (no idea how this ended up working).
*) dav_get_resource()'s parameters have been updated. target_allowed is old terminology; it is now label_allowed. The target parameter is obsoleted by the simple use_checked_in flag.
*) dav_get_target_selector() is obsolete. XML element processing is done within the CHECKOUT method (i.e. only where it occurs). The other half of the old function was to simply fetch the Label: header.
*) DAV_TARGET_SELECTOR_HDR is now DAV_LABEL_HDR
*) dav_method_checkout() now processes all the various options for a CHECKOUT method and either modifies the initial resource lookup, or passes the data to the checkout hook function.
*) the checkout hook grew a bunch of new parameters
*) new utility function: dav_xml_get_cdata() to gather up all the CDATA from an XML element. this is used to extract DAV:href values. (probably move to util_xml.c at some point)
Provide a way to allow get_resource and get_parent_resource to return errors that might occur during the parsing of the URI and/or the lookup of the resource in the repository. Specifically: return a dav_error* and move the returned dav_resource* to an "out" parameter of the hook function.
The local_addr and remote_addr fields in the conn_rec are now apr_sockaddr_t * instead of sockaddr_in. This is a small step towards IPv6 support.
*) fix subtle crasher in COPY method *) update sub-request-creation calls to include new "next filter" arg
Apply a patch from John Vasta for adding (some/more) DeltaV support to mod_dav. The patch applied and compiled cleanly, so I'm committing. Any necessary changes from a review will come later, so that we can easily track what needed to change (and can be back-ported to mod_dav 1.1). Submitted by: John Vasta <jvasta@rational.com>
final round of walker cleanup: fix the provider API to match what is Right.
first round whack at cleaning up the walker interface
Here it is, mod_dav should build quite nicely on Win32 (two last mild warnings to contend with.)
forward-port John Vasta's checkin to mod_dav 1.1.x (on Sep 25, 2000). this begins some work to upgrade the versioning support to some of the more recent drafts. - get_resource hook has new params - create_collection hook no longer takes a pool - new dav_auto_version_info structure to group up autoversion rollback/commit handling data - new functions for getting workspace, target-selector, etc - supportedlock hook now takes the resource in question (since different resources may have different locks) - new resource types; tweaks in props.c to support them - some tweaks with resource creation, Location header, etc.
update the WebDAV versioning support: - recognize and dispatch the latest set of DeltaV methods - refine the CHECKOUT provider hook - add avail_reports provider hook - fix the "target" resolution mechanism
Updated patch to fix compile warnings from not including apr_strings.h Submitted by: Joe Orton <joe@orton.demon.co.uk> Reviewed by: Bill Stoddard
prefix libapr functions and types with apr_
Add APR_EOL_STR for a platform specific text delimiter, provided by apr.h (defined in apr.h.in and apr.hw). This is needed -only- in APR created files (true raw files) such as logs. It is not required in any splat to screen (stderr/stdout) formatting, nor any html markup. Some other modules slipped through in the prior apr_strings.h commit. Sorry 'bout that. PR: Obtained from: Submitted by: Reviewed by:
Joe Orton writes: This updates mod_dav for the util_xml changes posted previously: * dav_xml -> ap_xml, and dav_text -> ap_text renaming * Add 'dav_elem_private' to hook mod_dav-specific info up to the parsed XML tree. Initialize this in several places, I think I got all necessary? [gjs: yes, you did] * Removal of the old "gross_hack", and all the XML code that was moved into util_xml Submitted by: Joe Orton <joe@orton.demon.co.uk> Reviewed by: Greg Stein
misc const cleanups and others issues found using maintainer-mode
(initial errors found by Ryan Bloom).
also switch to use new command table initializer macros.
get the DAV stuff to compile for Apache 2.0. some unpleasantries are in
there, but it *does* compile.
first, obvious step: alter the license/copyright on all mod_dav files.
initial checkin of the new Apache DAV code. this is a pristine copy of mod_dav 1.0.1 (tag "V1_0_1" in the mod_dav CVS repository). For historical information about these files, see the (old) mod_dav web site at http://www.webdav.org/mod_dav/. CVS repository information can be located from those pages.